Tag Archive: Model Clauses

EUROPE: European Parliament Passes Resolution Calling for Improvement of EU-U.S. Privacy Shield

By: Dr. Thomas Jansen and Mari Martin

On May 25, 2016, the European Parliament (EP) passed a non-binding resolution calling for the European Commission (EC) to reopen negotiations with the United States in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

The resolution requested improvements beyond the agreement reached between U.S. and EU negotiators in February. On February 29, 2016, the EC published a draft decision that approved the Privacy Shield arrangement as adequate. The Privacy Shield is intended to replace the EU-U.S. Safe Harbor Framework, which the Court of Justice of the European Union invalidated in October 2015.

The resolution, which the EP adopted in a 501-119 vote with 31 abstentions, largely supports criticisms in the April 13, 2016 Opinion issued by the Article 29 Working Party. Although the resolution acknowledged that the Privacy Shield contains “substantial improvements” compared to the Safe Harbor arrangement, it also called on the EC to “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.”

The “deficiencies” about which the Members of the European Parliament (MEPs) voiced concerns include:

  • the lack of restriction on access to European citizens’ personal data by U.S. intelligence agencies and the possibility of their collecting bulk data;
  • the proposed U.S. Ombudsman, created to review the complaints of European citizens, which the resolution called neither“sufficiently independent” nor “vested with adequate powers to effectively exercise and enforce its duty”; and
  • the complexity of the redress mechanism, which the resolution requested the EC and U.S. make more “user-friendly and effective.”

Further, the resolution called on the EC to:

  • fully implement the recommendations in the April 13, 2016 Opinion of the Article 29 Data Protection Working Party;
  • conduct robust periodic reviews of its decision that the protection provided by the Privacy Shield is adequate, particularly in the light of the new General Data Protection Regulation, which will go into effect in 2018; and
  • continue its dialogue with the U.S. to negotiate further improvements to the Privacy Shield.

The Article 31 Committee responsible for approving the Privacy Shield will take the EP’s resolution into consideration before voting on its adequacy. The Committee, which is composed of Member State representatives and chaired by the EC, is still deliberating regarding the Privacy Shield. The EC is expected to present to the Article 31 Committee a revised adequacy decision at the beginning of June. A vote is intended by the end of the month, and the EC aims to conclude approval of the Privacy Shield by mid-July.

Practical Implications

Invalidation of the EU-U.S. Safe Harbor Framework created considerable uncertainty for both businesses and consumers regarding transatlantic data transfer. Speaking after the European Parliament adopted its resolution, MEP Timothy Kirkhope, a member of the UK Conservative Party, stated:

“The Privacy Shield needs some clarifications as to how it will work in practice, which the Commission have said it is pursuing, but getting the Privacy Shield up and running swiftly is essential for businesses operating across the Atlantic. Businesses and consumers were left in legal limbo and uncertainty when Safe Harbor was rejected. It is about time that the businesses and their clients have legal certainty.”

The resolution should contribute to increased clarity for both businesses and individuals regarding data transfer between the EU and United States.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-parliament-passes-resolution-calling-for-improvement-of-eu-u-s-privacy-shield/

EUROPE: Irish Data Protection Authority to Refer Legality of Model Clauses to CJEU

By: Dr. Thomas Jansen and Mari Martin

With the Privacy Shield on hold, EU Model Clauses are the principal legal means under which personal data transfers from Europe to the US are occurring. However, those too are under attack by privacy advocates.

On May 25, 2016, the Irish Data Protection Authority issued a press release stating its intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. At issue is the continued mass surveillance by the U.S. government, the same basis on which the Safe Harbor arrangement was struck down.

This is the latest development following the 2013 legal challenge brought by petitioner Max Schrems, which resulted in Safe Harbor being struck down by the Court of Justice of the European Union in October 2016. Following the CJEU’s ruling on Safe Harbor, Model Clauses remained one legal basis available to organizations seeking EU-U.S. data transfer.

In a press release from May 25, Schrems stated, “I have received the draft decision by the Irish DPC yesterday night and we were informed that the DPC is intending to file the necessary proceedings with the Irish courts within the next days.”

After the CJEU invalidated the Safe Harbor scheme, many organizations, including Facebook, began using Model Clauses as the new basis of transfer for EU data. The EU Article 29 Working Party has stated that it is also assessing the legality of the Model Clauses but that organizations may continue to use them in the interim.

Binding corporate rules and obtaining consent from data subjects remain unchallenged mechanisms of data transfer to the US. However, alleged mass surveillance by the U.S. government remains the common core issue despite limitations placed upon the bulk collection of intelligence information under to Presidential Policy Directive 28 so that it is only for purposes of detecting and countering threats to national security, the proliferation of weapons of mass destruction or violations of trade sanctions. The Presidential Directive also established safeguards for the personal information of all individuals, regardless of the nationality of the individual.

More than a year will likely pass before the CJEU issues a ruling on this latest challenge leaving uncertainty over the most commonly used mechanisms for personal data transfers to the US. The Irish DPA referred the original case brought by Schrems to the CJEU on June 18, 2014, and the Court issued its decision October 6, 2015. Unless and until the CJEU issues a decision striking down the EC decisions establishing the Model Clauses (Decision 2001/497/EC, Decision 2004/915/EC and Decision 2010/87/EU), the Model Clauses remain valid. Until this time, organizations may continue to rely on them for data transfers.

Practical Implications

In the absence of a Privacy Shield framework, if Model Clauses are struck down, companies relying on them will be forced to significantly transform their operations in order to follow binding corporate rules or obtain data subject consent, while providing questionable meaningful benefits to EU citizen privacy.

The effect of a decision striking down the Model Clauses would be more serious than the Safe Harbor invalidation and could conceivably disrupt all personal data transfers outside the European Union except to the small number of countries that have been deemed to have “adequate” privacy regimes. For this reason, the decision would be unlikely to be enforced right away.

We will post updates regarding further developments.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/irish-data-protection-authority-to-refer-legality-of-model-clauses-to-cjeu/

EUROPE – Transferring Personal Data to the US – Model Clauses Pros & Cons

By Giangi Olivi, Diego Ramos and Carol Umhoefer

As discussed in our previous posts, after the European Court of Justice decision in the Schrems case, transfers of personal data from the EU to the United States on the sole basis of the EU-US Safe Harbor (i.e. the principles and FAQ issued by the U.S. Department of Commerce in July 2000 that were the subject of an adequacy decision by the European Commission) are no longer legal.

Safe Harbor is used by more than 4,000 companies, including significant social media players, facilitating the flows of data between Europe and the United States; its invalidation has potentially serious economic consequences. Here are some thoughts for companies considering alternatives to the Safe Harbor. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-transferring-personal-data-to-the-us-model-clauses-pros-cons/

WEBINAR RECORDING: Safe Harbor invalidation next steps – EU Model Clauses do’s and don’ts

Data Transfer Image WebEU-US Safe Harbor-certified companies and their customers are realizing that – barring the emergence of Safe Harbor 2.0 by January 31, 2016 – in most situations they will need to rely on European Commission-approved standard contractual clauses (better known as Model Clauses) to transfer personal data from the EEA to the US.

Please see below for a link to our webinar discussing EU Model Clauses do’s and don’ts.  This webinar was held on Monday, November 30, 2015.

Please access the webinar recording here.

Our Data Protection, Privacy and Security team have many years of experience implementing data transfer arrangements based on Model Clauses and cover concerns such as:

  • Selecting which Model Clauses to use
  • When Model Clauses can’t be used
  • When Model Clauses will need to be supplemented
  • Hidden risks in the Model Clauses
  • Other actions you may need to implement when adopting Model Clauses



Permanent link to this article: http://blogs.dlapiper.com/privacymatters/webinar-recording-safe-harbor-invalidation-next-steps-eu-model-clauses-dos-and-donts/